Discover how UK GDPR impacts businesses, including Father Christmas!
Dashing through the snowman’s land of data privacy? CyXcel were recently instructed by a certain red-suited, barrel-chested, bearded gift-giver to troubleshoot some of his data protection queries, (he must have been following CyXcel’s LinkedIn and realised he had some room to improve). Ever the good-spirited chap and keen to share with the whole country the things he’s learned, Father Christmas has given us special dispensation to share his biggest queries and learning experiences. You heard it here first!
Firstly, Mr Clause was concerned to read, while munching on a mince pie and supervising his elves in the workshop, that there was a growing awareness among the populus of data rights. Would mass use of data rights mean it is game over for Santa?
Possibly yes! Santa’s business model is wholly dependent on careful management of demand given limited supply. A mass exercise of the UKGDPR Art 18 right to restrict processing could nullify the naughty list. Like any organisation it is crucial that Santa gets expert advice when dealing with data rights requests or risk serious business interruption!
Secondly, St Nick wanted help to navigate the legal and regulatory regime, but he ultimately had one question: is he a GDPR hero or GDPR outlaw?
GDPR outlaw! Under Article 5(1)(b) UKGDPR data must be collected for specified, explicit, and legitimate purposes and not be further processed in a manner that is incompatible with those processes. Father Christmas gets kids’ names and address because they want presents, but when he monitors their behaviour he then uses that data to deliver some of them coal instead!
After quaffing a rather alarmingly large glass of milk with a whisky chaser, and after brushing carrot crumbs from Rudolph’s muzzle, Kris Kringle had a sudden realisation: “I basically operate a delivery outfit, but I don’t use front doors or streets: even when I’m dashing through the snow, o’er fields and so on, my front door is the chimney: why am I collecting kids’ addresses?! Am I a logistics data fail or data exemplar?”
Fail! Santa and his team exclusively deliver via airborne roof drop off. Yet their database derived from kids’ letters to Santa contains millions of door numbers that are of absolutely no use to the service. UK GDPR Art.5(1)(c) requires data processed to be limited to what is necessary. Santa urgently needs CyXcel’s help to cleanse his system of door numbers and replace them with chimney co-ordinates!
Nobody knows better than old Pere Noel that business nowadays is increasingly a global affair. “Why am I even bothering with UK GDPR?! I’m in Lapland!” he chortled, (I don’t think that whisky earlier was his first….). “Does UK GDPR even apply?!”
Whether UK GDPR applies to a particular business will depend on a number of factors, but for Father Christmas it definitely does! UK GDPR can apply to businesses outside of the UK: Article 3(2) UK GDPR provides that you are caught if you either (1) offer goods and services to UK resident persons (even for free) or (2) monitor the behaviour of persons in the UK. Between gift delivery and the naughty and nice list Santa is bang to rights!
But don’t worry, Christmas isn’t cancelled because of some irregularities in Father Christmas’ data protection practices! Thankfully, he took advice in good time this year and CyXcel has helped him remedy and improve his compliance. He was happy for us to share this endorsement:
“Ho, ho, ho! Thanks to CyXcel I am confident that I can continue to deliver joy (and less coal) to boys and girls across the land – free from worry that I will face enforcement action from the ICO! Merry Christmas to all, and to all a good data hygiene practice!”
For further information on cyber attacks and data related incidents contact our GDPR solicitors.
